Attackers Compromised Code-Checking Vendor's Tool for Two Months

A script used to upload sensitive reports—with access to credentials and datastores—likely sent information on hundreds, possibly thousands, of companies to attackers.

4 Min Read

In a software supply-chain attack reminiscent of the SolarWinds compromise, unknown attackers used a vulnerable tool published by code checking firm Codecov for a little over two months to collect sensitive development information from the company's clients.

Codecov, which provides tools and services to check how well software tests are covering code under development, in a statement published on Friday warned that attackers had modified a command-line upload tools to also send sensitive information to the attackers. At-risk data includes credentials, software tokens, and keys—and the data and code that could be accessed with those secrets—as well as the remote repository information.

The firm recommended that clients use a script to create a list of credentials that could be accessed by its software and consider those credentials and secrets compromised.

"If anything returned from that command is considered private or sensitive we strongly recommend invalidating the credential and generating a new one," Jerrod Engelberg, CEO of Codecov, said in a statement. "Additionally, we would recommend that you audit the use of these tokens in your system."

Codecov first became aware of the breach on April 1, after a customer reported a discrepancy in the check sum used to verify the integrity and authenticity of the tool. The company began investigating and has brought in federal law enforcement, Codecov said in its statement. The attackers likely had access to the system since the end of January, according to the company's investigation. While CodeCov did not specify how many clients were affected by the breach, its website states that more than 29,000 enterprises use its service.

A breach at a software supplier that could have impacted thousands of client firms puts the attack squarely on the level of the SolarWinds compromise, says Asaf Karas, co-founder and chief technology officer for Vdoo, an Internet-of-Things security platform.

"The Codecov system breach is yet another example that highlights the need to verify and scan any third-party software artifacts introduced to enterprise networks or applications, especially as part of the build chain," he says. "Shell scripts, in particular, aren't being given enough attention and coverage from a security tooling perspective, making them more exploitable and useful for adversaries."

The breach occurred when the attacker exploited a vulnerability in the process Codecov used to create Docker images for its own development. The attacker extracted the credential needed to modify a command-line tool, Bash Uploader, that client used to send reports to the company. The tool, instead, sent reports to a server at a third-party site.

Software supply chains have become a significant target of attackers. Increasingly, attackers have attempted to compromise open-source components and projects, using techniques such as dependency typosquatting or just buying a project outright. In addition, attackers have compromised the update mechanism for widely-used software as a way to deliver malware to customers, a technique used to spread NotPetya, infect users of Piriform's CCleaner, and compromise thousands of enterprises who use SolarWinds' Orion.

Bash Uploader Weaponized

In Codecov's case, the attackers turned the company's Bash Uploader—normally used to send software scanning reports to the company—into a Trojan horse, which also sent information on the victim's software environment, including the credentials needed to access parts of that environment.

As of the evening of April 15, the company had reached out affected customers but stressed that its investigation is ongoing.

"We are still actively assessing the impact of this event on our customers," the company said, adding, "Out of an abundance of caution, if you used the Bash Uploaders between January 31, 2021 and April 1, 2021 and did not conduct a checksum validation of the Bash Uploader, we would suggest you re-roll all of your credentials, tokens, or keys located in the environment variables in your CI process."

Codecov replaced the malicious script as of April 1 and has taken a number of steps to defend its software and network, including regenerating all internal credentials and software keys and auditing where and how the leaked key was used, the company said. The firm has also begun monitoring the Bash Uploader program to make sure that the same type of attack does not happen in the future, CEO Engelberg said in his statement.

Codecov declined to provide a comment to Dark Reading, beyond its public statement. The company has not attributed the attack to any group or nation-state.

About the Author(s)

Robert Lemos, Contributing Writer

Veteran technology journalist of more than 20 years. Former research engineer. Written for more than two dozen publications, including CNET, Dark Reading, MIT's Technology Review, Popular Science, and Wired News. Five awards for journalism, including Best Deadline Journalism (Online) in 2003 for coverage of the Blaster worm. Crunches numbers on various trends using Python and R. Recent reports include analyses of the shortage in cybersecurity workers and annual vulnerability trends.

Keep up with the latest cybersecurity threats, newly discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

You May Also Like

More Insights